PACKET ANALYSIS |
| 2017-09-29 | Lorna Hutcheson | Good Analysis = Understanding(tools + logs + normal) |
| 2017-01-28 | Lorna Hutcheson | Packet Analysis - Where do you start? |
| 2012-05-23 | Mark Baggett | IP Fragmentation Attacks |
| 2012-02-07 | Jim Clausing | Book Review: Practical Packet Analysis, 2nd ed |
PACKET |
| 2025-01-30/a> | Guy Bruneau | PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary] |
| 2025-01-07/a> | Yee Ching Tok | PacketCrypt Classic Cryptocurrency Miner on PHP Servers |
| 2024-10-17/a> | Guy Bruneau | Scanning Activity from Subnet 15.184.0.0/16 |
| 2024-03-03/a> | Guy Bruneau | Capturing DShield Packets with a LAN Tap [Guest Diary] |
| 2023-02-01/a> | Jesse La Grew | Rotating Packet Captures with pfSense |
| 2022-11-29/a> | Johannes Ullrich | Packet Tuesday Episode 3: TCP Urgent Flag. https://packettuesday.com |
| 2022-02-26/a> | Guy Bruneau | Using Snort IDS Rules with NetWitness PacketDecoder |
| 2021-06-17/a> | Daniel Wesemann | Network Forensics on Azure VMs (Part #1) |
| 2021-04-10/a> | Guy Bruneau | Building an IDS Sensor with Suricata & Zeek with Logs to ELK |
| 2021-01-30/a> | Guy Bruneau | PacketSifter as Network Parsing and Telemetry Tool |
| 2021-01-05/a> | Johannes Ullrich | Netfox Detective: An Alternative Open-Source Packet Analysis Tool |
| 2020-05-31/a> | Guy Bruneau | Windows 10 Built-in Packet Sniffer - PktMon |
| 2019-05-19/a> | Guy Bruneau | Is Metadata Only Approach, Good Enough for Network Traffic Analysis? |
| 2019-02-24/a> | Guy Bruneau | Packet Editor and Builder by Colasoft |
| 2017-09-29/a> | Lorna Hutcheson | Good Analysis = Understanding(tools + logs + normal) |
| 2017-09-17/a> | Guy Bruneau | rockNSM as a Incident Response Package |
| 2017-04-13/a> | Rob VandenBrink | Packet Captures Filtered by Process |
| 2017-03-03/a> | Lorna Hutcheson | BitTorrent or Something Else? |
| 2017-01-28/a> | Lorna Hutcheson | Packet Analysis - Where do you start? |
| 2016-12-27/a> | Guy Bruneau | Using daemonlogger as a Software Tap |
| 2016-11-05/a> | Xavier Mertens | Full Packet Capture for Dummies |
| 2016-06-15/a> | Richard Porter | Warp Speed Ahead, L7 Open Source Packet Generator: Warp17 |
| 2014-06-04/a> | Richard Porter | p0f, Got Packets? |
| 2014-03-18/a> | Mark Hofman | Call for packets dest 5000 or source 6000 |
| 2014-02-04/a> | Johannes Ullrich | Odd ICMP Echo Request Payload |
| 2014-01-31/a> | Chris Mohan | Looking for packets from three particular subnets |
| 2013-12-01/a> | Richard Porter | BPF, PCAP, Binary, hex, why they matter? |
| 2013-11-13/a> | Johannes Ullrich | Packet Challenge for the Hivemind: What's happening with this Ethernet header? |
| 2013-06-05/a> | Richard Porter | Wireshark 1.10.0 Stable Released http://www.wireshark.org/download.html |
| 2013-05-19/a> | Kevin Shortt | Port 51616 - Got Packets? |
| 2013-04-13/a> | Johannes Ullrich | Protocol 61: Anybody got packets? |
| 2012-09-13/a> | Mark Baggett | TCP Fuzzing with Scapy |
| 2012-05-23/a> | Mark Baggett | IP Fragmentation Attacks |
| 2012-05-14/a> | Mark Hofman | Got packets? Interested in TCP/8909, TCP/6666, TCP/9415, TCP/27977 and UDP/7 |
| 2012-02-07/a> | Jim Clausing | Book Review: Practical Packet Analysis, 2nd ed |
| 2011-08-30/a> | Johannes Ullrich | A Packet Challenge: Help us identify this traffic |
| 2011-03-07/a> | Lorna Hutcheson | Call for Packets - Unassigned TCP Options |
| 2011-01-25/a> | Johannes Ullrich | Packet Tricks with xxd |
| 2011-01-15/a> | Jim Clausing | What's up with port 8881? |
| 2010-09-28/a> | Daniel Wesemann | Strange packet: "daylight rekick", anyone? |
| 2010-09-16/a> | Johannes Ullrich | A Packet a Day |
| 2010-02-16/a> | Johannes Ullrich | Teredo "stray packet" analysis |
| 2009-11-18/a> | Rob VandenBrink | Using a Cisco Router as a “Remote Collector” for tcpdump or Wireshark |
| 2009-05-07/a> | Jim Clausing | A packet challenge and how I solved it |
| 2009-05-01/a> | Adrien de Beaupre | Odd packets |
| 2008-11-17/a> | Jim Clausing | A new cheat sheet and a contest |
| 2008-09-22/a> | Jim Clausing | More on tools/resources/blogs |
| 2008-06-07/a> | Jim Clausing | What's going on with these ports? Got packets? |
| 2008-05-26/a> | Marcus Sachs | Port 1533 on the Rise |
| 2008-04-27/a> | Marcus Sachs | What's With Port 20329? |
| 2008-04-25/a> | Joel Esler | Some packets perhaps? |
| 2008-04-16/a> | William Stearns | Passer, a aassive machine and service sniffer |
| 2008-03-23/a> | Johannes Ullrich | Finding hidden gems (easter eggs) in your logs (packet challenge!) |
| 2006-10-17/a> | Arrigo Triulzi | Hacking Tor, the anonymity onion routing network |
ANALYSIS |
| 2025-04-02/a> | Guy Bruneau | Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive [Guest Diary] |
| 2025-03-06/a> | Guy Bruneau | DShield Traffic Analysis using ELK |
| 2025-01-09/a> | Guy Bruneau | Examining Redtail Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics [Guest Diary] |
| 2024-12-17/a> | Guy Bruneau | Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary] |
| 2024-12-11/a> | Guy Bruneau | Vulnerability Symbiosis: vSphere?s CVE-2024-38812 and CVE-2024-38813 [Guest Diary] |
| 2024-10-17/a> | Guy Bruneau | Scanning Activity from Subnet 15.184.0.0/16 |
| 2024-09-25/a> | Guy Bruneau | OSINT - Image Analysis or More Where, When, and Metadata [Guest Diary] |
| 2024-09-18/a> | Guy Bruneau | Time-to-Live Analysis of DShield Data with Vega-Lite |
| 2024-09-11/a> | Guy Bruneau | Hygiene, Hygiene, Hygiene! [Guest Diary] |
| 2024-08-27/a> | Guy Bruneau | Vega-Lite with Kibana to Parse and Display IP Activity over Time |
| 2024-08-16/a> | Jesse La Grew | [Guest Diary] 7 minutes and 4 steps to a quick win: A write-up on custom tools |
| 2024-06-13/a> | Guy Bruneau | The Art of JQ and Command-line Fu [Guest Diary] |
| 2024-05-28/a> | Guy Bruneau | Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs [Guest Diary] |
| 2024-04-29/a> | Guy Bruneau | Linux Trojan - Xorddos with Filename eyshcjdmzg |
| 2024-03-29/a> | Xavier Mertens | Quick Forensics Analysis of Apache logs |
| 2024-02-25/a> | Guy Bruneau | Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary] |
| 2024-02-03/a> | Guy Bruneau | DShield Sensor Log Collection with Elasticsearch |
| 2023-11-17/a> | Jan Kopriva | Phishing page with trivial anti-analysis features |
| 2023-02-04/a> | Guy Bruneau | Assemblyline as a Malware Analysis Sandbox |
| 2023-01-21/a> | Guy Bruneau | DShield Sensor JSON Log to Elasticsearch |
| 2023-01-08/a> | Guy Bruneau | DShield Sensor JSON Log Analysis |
| 2022-07-29/a> | Johannes Ullrich | PDF Analysis Intro and OpenActions Entries |
| 2022-07-18/a> | Didier Stevens | Adding Your Own Keywords To My PDF Tools |
| 2022-06-01/a> | Jan Kopriva | HTML phishing attachments - now with anti-analysis features |
| 2021-04-10/a> | Guy Bruneau | Building an IDS Sensor with Suricata & Zeek with Logs to ELK |
| 2021-04-06/a> | Jan Kopriva | Malspam with Lokibot vs. Outlook and RFCs |
| 2021-01-30/a> | Guy Bruneau | PacketSifter as Network Parsing and Telemetry Tool |
| 2021-01-14/a> | Bojan Zdrnja | Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file |
| 2020-12-03/a> | Brad Duncan | Traffic Analysis Quiz: Mr Natural |
| 2020-11-11/a> | Brad Duncan | Traffic Analysis Quiz: DESKTOP-FX23IK5 |
| 2020-10-01/a> | Daniel Wesemann | Making sense of Azure AD (AAD) activity logs |
| 2020-09-20/a> | Guy Bruneau | Analysis of a Salesforce Phishing Emails |
| 2020-06-01/a> | Jim Clausing | Stackstrings, type 2 |
| 2020-05-02/a> | Guy Bruneau | Phishing PDF with Unusual Hostname |
| 2020-01-25/a> | Guy Bruneau | Is Threat Hunting the new Fad? |
| 2020-01-12/a> | Guy Bruneau | ELK Dashboard and Logstash parser for tcp-honeypot Logs |
| 2019-12-29/a> | Guy Bruneau | ELK Dashboard for Pihole Logs |
| 2019-12-07/a> | Guy Bruneau | Integrating Pi-hole Logs in ELK with Logstash |
| 2019-11-23/a> | Guy Bruneau | Local Malware Analysis with Malice |
| 2019-10-18/a> | Xavier Mertens | Quick Malicious VBS Analysis |
| 2019-06-27/a> | Rob VandenBrink | Finding the Gold in a Pile of Pennies - Long Tail Analysis in PowerShell |
| 2019-06-14/a> | Jim Clausing | A few Ghidra tips for IDA users, part 4 - function call graphs |
| 2019-04-17/a> | Jim Clausing | A few Ghidra tips for IDA users, part 2 - strings and parameters |
| 2019-04-08/a> | Jim Clausing | A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code |
| 2019-04-03/a> | Jim Clausing | A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters |
| 2019-03-31/a> | Didier Stevens | Maldoc Analysis of the Weekend by a Reader |
| 2019-02-27/a> | Didier Stevens | Maldoc Analysis by a Reader |
| 2018-11-18/a> | Guy Bruneau | Multipurpose PCAP Analysis Tool |
| 2018-10-21/a> | Pasquale Stirparo | Beyond good ol’ LaunchAgent - part 0 |
| 2018-08-31/a> | Jim Clausing | Quickie: Using radare2 to disassemble shellcode |
| 2018-06-01/a> | Remco Verhoef | Binary analysis with Radare2 |
| 2017-09-29/a> | Lorna Hutcheson | Good Analysis = Understanding(tools + logs + normal) |
| 2017-07-09/a> | Russ McRee | Adversary hunting with SOF-ELK |
| 2017-04-28/a> | Russell Eubanks | KNOW before NO |
| 2017-01-28/a> | Lorna Hutcheson | Packet Analysis - Where do you start? |
| 2016-12-24/a> | Didier Stevens | Pinging All The Way |
| 2016-10-30/a> | Pasquale Stirparo | Volatility Bot: Automated Memory Analysis |
| 2016-10-17/a> | Didier Stevens | Maldoc VBA Anti-Analysis: Video |
| 2016-10-15/a> | Didier Stevens | Maldoc VBA Anti-Analysis |
| 2016-05-14/a> | Guy Bruneau | INetSim as a Basic Honeypot |
| 2016-04-21/a> | Daniel Wesemann | Decoding Pseudo-Darkleech (Part #2) |
| 2015-05-03/a> | Russ McRee | VolDiff, for memory image differential analysis |
| 2014-07-05/a> | Guy Bruneau | Malware Analysis with pedump |
| 2014-04-21/a> | Daniel Wesemann | Finding the bleeders |
| 2014-03-13/a> | Daniel Wesemann | Web server logs containing RS=^ ? |
| 2014-01-14/a> | Chris Mohan | Spamming and scanning botnets - is there something I can do to block them from my site? |
| 2013-10-28/a> | Daniel Wesemann | Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities |
| 2013-06-18/a> | Russ McRee | Volatility rules...any questions? |
| 2013-05-11/a> | Lenny Zeltser | Extracting Digital Signatures from Signed Malware |
| 2013-03-09/a> | Guy Bruneau | IPv6 Focus Month: IPv6 Encapsulation - Protocol 41 |
| 2013-02-03/a> | Lorna Hutcheson | Is it Really an Attack? |
| 2013-01-08/a> | Jim Clausing | Cuckoo 0.5 is out and the world didn't end |
| 2012-12-02/a> | Guy Bruneau | Collecting Logs from Security Devices at Home |
| 2012-09-19/a> | Kevin Liston | Volatility: 2.2 is Coming Soon |
| 2012-09-14/a> | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-06-21/a> | Russ McRee | Analysis of drive-by attack sample set |
| 2012-06-04/a> | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2012-05-23/a> | Mark Baggett | IP Fragmentation Attacks |
| 2012-03-03/a> | Jim Clausing | New automated sandbox for Android malware |
| 2012-02-07/a> | Jim Clausing | Book Review: Practical Packet Analysis, 2nd ed |
| 2011-05-20/a> | Guy Bruneau | Sysinternals Updates, Analyzing Stuxnet Infection with Sysinternals Tools Part 3 |
| 2011-04-14/a> | Adrien de Beaupre | Sysinternals updates, a new blog post, and webcast |
| 2011-02-01/a> | Lenny Zeltser | The Importance of HTTP Headers When Investigating Malicious Sites |
| 2010-08-09/a> | Jim Clausing | Free/inexpensive tools for monitoring systems/networks |
| 2010-07-21/a> | Adrien de Beaupre | autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198) |
| 2010-05-26/a> | Bojan Zdrnja | Malware modularization and AV detection evasion |
| 2010-04-11/a> | Marcus Sachs | Network and process forensics toolset |
| 2010-03-26/a> | Daniel Wesemann | Getting the EXE out of the RTF again |
| 2010-02-13/a> | Lorna Hutcheson | Network Traffic Analysis in Reverse |
| 2010-01-14/a> | Bojan Zdrnja | PDF Babushka |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicious PDFs |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicous PDFs (Part #2) |
| 2009-11-25/a> | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-11-03/a> | Bojan Zdrnja | Opachki, from (and to) Russia with love |
| 2009-09-25/a> | Lenny Zeltser | Categories of Common Malware Traits |
| 2009-07-26/a> | Jim Clausing | New Volatility plugins |
| 2009-07-02/a> | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-04-15/a> | Marcus Sachs | 2009 Data Breach Investigation Report |
| 2009-03-13/a> | Bojan Zdrnja | When web application security, Microsoft and the AV vendors all fail |
| 2009-02-10/a> | Bojan Zdrnja | More tricks from Conficker and VM detection |
| 2009-02-09/a> | Bojan Zdrnja | Some tricks from Conficker's bag |
| 2009-01-18/a> | Daniel Wesemann | 3322. org |
| 2009-01-15/a> | Bojan Zdrnja | Conficker's autorun and social engineering |
| 2009-01-07/a> | Bojan Zdrnja | An Israeli patriot program or a trojan |
| 2009-01-02/a> | Rick Wanner | Tools on my Christmas list. |
| 2008-12-13/a> | Jim Clausing | Followup from last shift and some research to do. |
| 2008-11-17/a> | Marcus Sachs | New Tool: NetWitness Investigator |
| 2008-11-17/a> | Jim Clausing | Finding stealth injected DLLs |
| 2008-09-03/a> | Daniel Wesemann | Static analysis of Shellcode - Part 2 |
| 2008-07-07/a> | Pedro Bueno | Bad url classification |
| 2006-10-02/a> | Jim Clausing | Reader's tip of the day: ratios vs. raw counts |
| 2006-09-18/a> | Jim Clausing | Log analysis follow up |
| 2006-09-09/a> | Jim Clausing | Log Analysis tips? |
| 2006-09-09/a> | Jim Clausing | A few preliminary log analysis thoughts |
